\subsection{Insight}
\label{sec:insight}

The problem with applying meaningful security labels is that not enough information is available on which to base a meaningful decision as to trust.  We want to know where this file comes from, who modified it and when - regardless of where it is.  We then contend that trust should be a function not of spatial characteristics like file location but on the longitudinal history of the file through all modifications.

We therefore seek to provide this information by including a history of all modifications with each file of interest.  Of course, this history must be immutable and integrity protected to be trustworthy itself.  Our hypothesis then is that storing a self-protecting file history can allow malicious modification to be detected from user space.  A second palpable effect is that race conditions in resolving a name will be avoided by changing the workflow for resolving the name from check-use to lock-check.
